redirects, template injection

Author: netcode

README.md

@@ -1,2 +1,13 @@
 # crazy-vulnerable-nodejs-application
 CVNA
+
+
+[ ] Command Injection 
+[ ] Loop Bound Injection
+[ ] NoSQLI 
+[ ] Unsafe Redirects
+[ ] ReDoS
+[ ] SQLI
+[ ] SSRF
+[ ] XSS
+[ ] XXE

index.js

@@ -4,7 +4,7 @@ const bodyParser = require('body-parser');
 const app = express()
 const port = 3000
 
-
+app.set('view engine', 'ejs'); //for template injection
 app.use(bodyParser.json());
 
 app.get('/', (req, res) => res.send('Hello World!'))

views/index.ejs

@@ -0,0 +1,3 @@
+<!-- partials/header.ejs -->
+
+Application home

views/partials/header.ejs

@@ -0,0 +1,3 @@
+<% if (user_name) { %>
+    <h2>Hello <%- user_name %></h2>
+<% } %>

vulnerabilities/exec.js

@@ -5,7 +5,7 @@ const { exec, spawn }  = require('child_process');
 
 
 router.post('/ping', (req,res) => {
-    exec(`${req.body.url}`, (error, stdout, stderr) => {
+    exec(`${req.body.url}`, (error) => {
         if (error) {
             return res.send('error');
         }

vulnerabilities/redirect.js

@@ -0,0 +1,20 @@
+
+const express = require('express');
+const router = express.Router()
+
+router.get('/login',function(req, res){
+    let followPath = req.query.path;
+    if(req.session.isAuthenticated()){
+        res.redirect('http://example.com/'+followPath); //false positive
+    }else{
+        res.redirect('/');
+    }
+}); 
+
+router.get('/goto',function(req, res){
+    let url = encodeURI(req.query.url); //vulnerability
+    res.redirect(url);
+}); 
+
+
+module.exports = router

vulnerabilities/template-injection.js

@@ -0,0 +1 @@
+WIP

vulnerabilities/xss.js

@@ -6,4 +6,9 @@ router.get('/greeting', (req, res) => {
     res.send('<h1> Hello :'+ name +"</h1>")
 })
 
+router.get('/greet-template', (req,res) => {
+    name = req.query.name
+    res.render('index', { user_name: name});
+})
+
 module.exports = router